Method for providing a program module in a communications system

ABSTRACT

A method provides a program module in a communications system. The program module is held by a server and transmitted to a subscriber terminal. Each time it is transmitted, a test criterion is calculated both inside a security device and in the subscriber terminal, using the program module and an individual key. By comparing the two test criteria, it is determined whether the program module has been received defectively by the subscriber terminal.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is based on and hereby claims priority to PCT Application No. PCT/DE01/02735 filed on 19 Jul. 2001 and German Patent No. 100 35 171.9 filed on 19 Jul. 2000, the contents of which are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

The invention relates to a method for providing a program module in a communications system, in particular in a radio communications system.

In present-day computer networks, a client/server structure is frequently used in order to provide new software, which is generally also referred to as a software upgrade. This client/server structure is distinguished by a hierarchical structure, with the software being stored in a relatively high-level server computer which provides the required software to client computers, which are connected to the server, when requested by these client computers.

Against the background of this basic model, which is also referred to as a single server architecture, there are further modified forms in which, for example, a plurality of servers process the requests from a large number of lower-level clients (multi-server architecture). So-called proxy servers may also be used for temporary storage of the software, and these are arranged between the client and the server in the hierarchy. The software which is requested by a client is temporarily stored in the proxy server in this architecture, so that, when it is requested once again by a different client, the software can be requested directly from the proxy server (which is generally located physically closer). This method is used, by way of example, for temporary storage of web pages that are called up frequently on the Internet.

In radio-based cellular communications networks such as the already existing GSM network (Global System Mobile), the planned UMTS network (Universal Mobile Telecommunications System) as a third generation mobile radio network or the Hiperlan/2 system as a future wireless LAN system, it is also necessary to carry out software upgrades, for example an upgrade to a WAP (Wireless Application Protocol) browser.

In this case, the software may be provided either by the manufacturer of a subscriber station, by a network operator, or else by an independent service provider.

In these methods, the connection between the server and a client is scrambled in order to distribute contents and software and/or program modules in a secure manner. Symmetric or asymmetric methods, such as PGP (Pretty Good Privacy) or SSL (Secure Socket Layer), are used in this case according to the related art. However, these methods have the disadvantage that they cannot prevent the contents and/or the software being modified by network components via which this information is transmitted to the subscriber terminal.

EP 0813132 A2 describes a method for distributing a program code, in which a trustworthy third party creates a certificate for the program code, which is distributed together with the program code. A receiving system can confirm the integrity of the certificate, and hence also the integrity of the program code, by checking this certificate.

SUMMARY OF THE INVENTION

One potential object of the invention is thus to create a method for providing program modules in a communications system, which allows secure reception of the program modules by a subscriber station.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages of the present invention will become more apparent and more readily appreciated from the following description of the preferred embodiments, taken in conjunction with the accompanying drawings of which:

FIG. 1 shows a block diagram of a communications system, in particular of a radio communications system,

FIG. 2 shows the transmission of a program module from a server to a subscriber terminal and to a further subscriber terminal,

FIG. 3 shows the transmission of a program module, as shown in FIG. 2, with a security check according to one aspect of the invention,

FIG. 4 shows the transmission of a program module from a server to a subscriber terminal with a first security concept option, and

FIG. 5 shows the transmission of a program module from a server to a subscriber terminal as shown in FIG. 4, with a second security concept option.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout.

FIG. 1 shows a detail of a radio communications system as an example of a communications system in which the invention can possibly be used. The illustration shows the structure of a HIPERLAN/2 system. A system such as this has a plurality of base stations BS which are connected to an IP-based backbone. These base stations BS are used for assigning radio resources to subscriber terminals UE (user equipment) for routing and transmission of incoming and outgoing data packets (PDU, Packet Data Unit) via a radio interface. The subscriber terminals UE are in this case, for example, in the form of mobile stations or other types of mobile and stationary terminals. Each base station BS supplies radio resources to at least one radio cell Z.

As is illustrated by way of example in FIG. 1, the subscriber terminal UEb is located outside the radio cell Z of the base station BS. In this case, according to the related art, it would be impossible for this base station BS to supply radio resources to this subscriber terminal UEb. However, signals can be transmitted in the uplink direction UL and the downlink direction DL by using a subscriber terminal UEa, which is located in the supply area of the base station BS, as a relay station to form a so-called multihop system. In this case, the relay station UEa passes on the signals received in the respective transmission direction, for example using the same carrier frequency as the base station BS. As is illustrated by way of example, each relay station UEa, UEc in turn forms a small radio cell, thus enlarging the effective extent of the radio cell Z of the base station BS.

As has already been described in the introduction, a client/server structure is frequently used in present-day computer networks for providing new software, which is generally also referred to as a software upgrade. This client/server structure is distinguished by a hierarchical structure, with the software being stored in a relatively high-level server computer which provides the required software to client computers, which are connected to the server, when requested by these client computers.

Against the background of this basic model, which is also referred to as a single server architecture, there are further modified forms in which, for example, a plurality of servers process the requests from a large number of lower-level clients (multi-server architecture). So-called proxy servers may also be used for temporary storage of the software, and these are arranged between the client and the server in the hierarchy. The software which is requested by a client is temporarily stored in the proxy server in this architecture, so that, when it is requested once again by a different client, the software can be requested directly from the proxy server (which is generally located physically closer). This method is used, by way of example, for temporary storage of web pages that are called up frequently on the Internet.

In radio-based cellular communications networks such as the already existing GSM network (Global System Mobile) or the planned UMTS network (Universal Mobile Telecommunications System) as a third generation mobile radio network, it is also necessary to carry out software upgrades, for example an upgrade to a WAP (Wireless Application Protocol) browser.

In this case, the software may be provided either by the manufacturer of a subscriber station, by a network operator, or else by an independent service provider.

If one of the client/server architectures described in the introduction is used for a software upgrade, with the software in this case being stored centrally on servers in the mobile radio network and being transmitted from there to each individual subscriber station, this results, however, in unacceptable waiting times when there are a large number of subscriber stations.

Furthermore, in mobile communications networks and in contrast to a landline network, it is impossible to associate one subscriber terminal with one access to the network. In consequence, when software is provided centrally by a relatively high-level server (for example by a base station), each subscriber terminal in the communications network must ask the respective server, at regular time intervals, whether there is any new software to download. This produces an additional load.

One possible way to solve this problem is to provide the software upgrade in the form of a “snowball” system. Each subscriber terminal which is registered in a cell and which has stored the software and/or the program module can transmit this to further subscriber terminals which are registered in that cell. Each subscriber terminal is thus not only a client but also a server. Direct transmission of the software from one subscriber terminal to one or more further subscriber terminals allows the software to be disseminated virtually exponentially. In a corresponding way, the time taken to provide the software to all the subscriber terminals which are registered in a cell can be reduced by several times.

Also, and advantageously in comparison to a hierarchical client/server system, resources are saved since, at the start of the process, the software can be transmitted from only one server to one subscriber terminal in the communications system, which can then pass on the software to the other subscriber terminals in the system.

Since the software can be transmitted from one subscriber terminal to a further subscriber terminal on the direct path, and a network device carries out only signaling tasks, if any, this also conserves resources.

However, this method has been found to be subject to a problem in that the respective receiver of a program module can modify this program module, for example after unpacking and installation, before transmitting it to a further subscriber terminal. This manipulation capability is illustrated, by way of example, in FIG. 2.

A secure connection is set up between a server and a first subscriber terminal UEa. This may be protected, for example, by a known scrambling program. In a first step (1), the first subscriber terminal requests a program module SP (software packet), which is transmitted in a second step (2) to the first subscriber terminal UEa. After unpacking and installation of the program module SP, this program module SP can be manipulated by the first subscriber terminal UEa and can be packed once again, step (4). If a further subscriber terminal UEb now requests the program module from the first subscriber terminal UEa in a fifth step (5), then the first subscriber terminal UEa sends the manipulated program module SP* to the further subscriber terminal UEb, step (6). Installation of this manipulated program module SP*, step (7), which now, by way of example, contains a virus, can disadvantageously lead to malfunctions in the further subscriber terminal UEb.

This problem can be solved by allocating an individual key PK (private key) to each subscriber terminal UE or to each subscriber, which can be used, for example, to calculate a respective checksum. This key is, for example, stored in a memory device (SIM, UIM) in the subscriber terminal, and is protected against being read without authorization.

In addition to the storage of the key in the subscriber terminal, this key is stored in a security device. This security device may, for example, be implemented in a corresponding manner to a so-called security box SB, a trust center TC or an authentication center AC, as a component of the communications system or independently of it. The security device is advantageously associated with one respective provider, and provides the program modules. The provider may, for example, be a manufacturer (equipment supplier), operator, service provider, application provider or content provider. An individual key for each of the various providers can be stored in the terminal or in an external memory medium (smart card), which is supplied to the subscriber terminal.

In addition, the address (E.164, URL, . . . ) may also be stored for routing purposes in the security device, in which case the address may also be stored in the communications system, for example together with the subscriber profile.

By way of example, a program module (software update) is transmitted in unscrambled or scrambled form from a manufacturer (Siemens AG) or the manufacturer's server to the subscriber terminal. After receiving the program module, the subscriber terminal uses the appropriate key (from the manufacturer) in order to calculate a checksum from that key and the program module. This calculated checksum is transmitted to the manufacturer's or the communications system's security device. In addition, in this case, the subscriber identification may also be transmitted in order to identify the subscriber or the subscriber terminal. This subscriber identification may, in a mobile radio system by way of example, be the IMEI (International Mobile Equipment Identity) or, in some other communications system, a unique symbolic name, for example the e-mail address. In the same way, the address of the provider can also be stored in the subscriber terminal, together with the key.

The security device uses the stored key and the program module, which it has likewise received from the server, to calculate a checksum in the same way. The checksum calculated in the security device and that calculated in the subscriber terminal are then compared. If the checksums match, then the program module has been received without any corruption by the subscriber terminal and can subsequently be installed in the subscriber terminal, after confirmation by the security device. If, on the other hand, the checksums do not match, then the subscriber station has received a program module with errors, or a corrupted program module. The subscriber terminal then does not install the program module and, possibly, signals to the security device the source or the subscriber terminal from which it received this program module. Because the identity of the source or subscriber terminal is stored in the security device, the user of the security device can then, if required, take suitable steps with regard to the faulty source, such as blocking that subscriber terminal.

The method according to the invention offers, inter alia, the following advantages:

possible use of security algorithms, as are already used nowadays for subscriber authentication in mobile radio systems, for checking that received program modules have no errors,

possible use of terminal-specific information, such as the IMEI, for checking that received program modules have no errors,

a known SSL mechanism may be used for passing on program modules, provided that this is desired by the issuing authority, and

the SSL mechanism can likewise be used for distribution of the keys for checksum calculation, if the key in the subscriber terminal is intended to be updated from time to time in order to improve security.

Based on FIG. 2, FIG. 3 shows how a security concept can be implemented in the environment described. In a first step (1), a first subscriber terminal UEa requests a program module SP, which is transmitted in a second step (2) from the server S to the first subscriber terminal UEa. In a third step (3), a first checksum CSa is calculated in the first subscriber terminal UEa based on the program module SP and a first terminal-specific or subscriber-specific key PKa. This calculated checksum CSa is sent to the security device TC/SB, where it is compared with a checksum CSa calculated in the same manner in an initial step (0). In this case, the checksum may be transmitted to the security device in a scrambled form. If the security device TC/SB confirms that the checksums are identical, then it signals this fact to the first subscriber terminal UEa, which then installs the program module SP in a fifth step (5).

In a sixth step (6), a second subscriber terminal UEb now requests the program module SP from the first subscriber terminal UEa, and the first subscriber terminal transmits the program module SP* to the second subscriber terminal UEb in a seventh step (7). In a corresponding way to the third step (3), a second checksum CSb is calculated in the second subscriber terminal UEb, in an eighth step (8), based on the program module SP* and a second terminal-specific or subscriber-specific key PKb, and this is then transmitted to the security device TC/SB, step (9), where the checksums CSb are once again compared. Once it has been confirmed that the checksums CSb match, the program module SP* is installed in the second subscriber terminal UEb in a tenth step (10).

FIG. 4 will now be used by way of example to explain how known security components of a mobile radio system can advantageously be used for the method. In a first step (1), a sum Sum is calculated from a program module SP in a device, using a known method. The device may in this case be incorporated in the security device SB, in the case of a mobile radio system, by way of example, in the central authentication center AC, or separately from the security device SB. A compressed program module may also be defined, by way of example, as the sum Sum. In a second step (2), a checksum CSc is calculated using the standardized key PKc (kc), in which case the calculation can be carried out in a corresponding manner to the calculation of RES and SRES in the GSM mobile radio system. The sum Sum and the checksum CSc are then transmitted to a central device NE in the communications system, for example to the HLR (Home Location Register) or to the VLR (Visitor Location Register). In addition to this information, the respective information item or an indicator relating to the program module SP and/or to the subscriber terminal UEc or to the subscriber can be transmitted to the central device NE.

A sum is produced from the program module SP in the same way in the subscriber terminal UEc, and a checksum CSc is calculated from the sum and the key PKc. The checksum CSc is then transmitted in a fourth step (4) to the central device NE, with an indicator for the received program module SP likewise also being transmitted. If the central device NE finds a match between the stored checksum CSc and the checksum CSc transmitted by the subscriber terminal UEc, then the program module SP can be installed in the subscriber terminal UEc, after appropriate confirmation from the central device NE.

FIG. 5 shows an implementation of the security concept as an alternative to that shown in FIG. 4. In this case, in contrast, the checksum CS is calculated from the determined sum Sum and from the IMEI (International Mobile Equipment Identity), which is known from the GSM mobile radio system. The IMEI is used to calculate the checksum CS in the same way in the subscriber terminal UEc. In this case, by way of example, the EIR (Equipment Identification Register) may also be used as the central device NE for carrying out the comparison of the checksums CS, since the key which is used is terminal-specific.
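The FIG. 3 exchange and the FIG. 4/5 sum-then-checksum calculation, as an added Python model that is not part of the patent: a security device holding the per-terminal keys and the server's original module, two terminals, and the case in which UEa forwards a manipulated SP* to UEb. SHA-256 as the sum, HMAC-SHA256 as the keyed checksum, the key and module values, and the class names are assumptions; for the FIG. 5 variant the IMEI would take the place of the key.

```python
import hashlib
import hmac

# Constructed sample data (not from the patent): a program module SP, the
# per-terminal keys PKa/PKb, and a manipulated copy SP* as in FIG. 2 step (4).
SP = b"WAP browser upgrade, constructed sample module"
SP_STAR = SP + b"\x00 injected change"
KEYS = {"UEa": b"PKa-constructed-secret", "UEb": b"PKb-constructed-secret"}


def module_sum(module: bytes) -> bytes:
    """Sum of FIG. 4 step (1): a digest of the module (SHA-256 assumed)."""
    return hashlib.sha256(module).digest()


def checksum(key: bytes, module: bytes) -> bytes:
    """Checksum CS from the individual key and the module's sum.

    The patent leaves the function open (it likens it to GSM RES/SRES);
    HMAC-SHA256 is assumed here as the keyed checksum.
    """
    return hmac.new(key, module_sum(module), hashlib.sha256).digest()


class SecurityDevice:
    """TC/SB (or central device NE): holds every key and the server's SP."""

    def __init__(self, keys: dict, original_module: bytes):
        self.keys = dict(keys)
        # FIG. 3 step (0): reference checksums from the unmodified module.
        self.reference = {tid: checksum(k, original_module)
                          for tid, k in self.keys.items()}
        self.reports = []   # (reporting terminal, source it received SP from)
        self.blocked = set()

    def verify(self, terminal_id: str, reported_cs: bytes, source: str) -> bool:
        """Compare the terminal's checksum with the reference; record bad sources."""
        if hmac.compare_digest(self.reference[terminal_id], reported_cs):
            return True
        self.reports.append((terminal_id, source))
        self.blocked.add(source)  # "suitable steps", e.g. blocking the source
        return False


class Terminal:
    """Subscriber terminal UE holding its own key PK in protected storage."""

    def __init__(self, terminal_id: str, key: bytes):
        self.id = terminal_id
        self.key = key
        self.received = None
        self.installed = None

    def receive(self, module: bytes, source: str, device: SecurityDevice) -> bool:
        """Steps (3)-(5) / (8)-(10): compute CS, ask the device, install on match."""
        self.received = module
        cs = checksum(self.key, module)
        if device.verify(self.id, cs, source):
            self.installed = module
            return True
        return False


def run_fig3_scenario() -> dict:
    """UEa receives SP from the server, tampers with it, and forwards SP* to UEb."""
    device = SecurityDevice(KEYS, SP)
    uea = Terminal("UEa", KEYS["UEa"])
    ueb = Terminal("UEb", KEYS["UEb"])
    ok_a = uea.receive(SP, "server", device)     # FIG. 3 steps (2)-(5)
    ok_b = ueb.receive(SP_STAR, "UEa", device)   # FIG. 3 steps (7)-(10), with SP*
    return {"UEa_installed": ok_a, "UEb_installed": ok_b,
            "blocked": sorted(device.blocked)}


if __name__ == "__main__":
    print(run_fig3_scenario())
```

Because the security device never sees SP*, only the checksums, the mismatch reveals both that UEb received a corrupted module and which terminal supplied it.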

The invention has been described in detail with particular reference to preferred embodiments thereof and examples, but it will be understood that variations and modifications can be effected within the spirit and scope of the invention.

1. A method for providing a program module in a communications system, comprising: making the program module available from a server, transmitting the program module to a subscriber, calculating a checking criterion every time the program module is transmitted, the checking criterion being separately calculated in a security device and at the subscriber, the checking criterion being calculated based on the contents of the program module and based on an individual key associated with the subscriber, and comparing the checking criterion calculated in the security device with the checking criterion calculated at the subscriber in order to determine whether errors are contained in the program module received by the subscriber.

2. The method according to claim 1, wherein the subscriber has an associated subscriber terminal, the program module is transmitted from the server to the subscriber terminal, and the key is specific to the subscriber terminal.

3. The method according to claim 1, wherein the program module is transmitted from the server to a subscriber terminal, each subscriber terminal has at least one subscriber associated therewith, and each subscriber of the subscriber terminal has an individual key.

4. The method according to claim 1, wherein the program module is transmitted to a plurality of subscribers, and each subscriber has an individual key.

5. The method as claimed in claim 1, further comprising scrambling the program module prior to transmission to the subscriber.

6. The method as claimed in claim 1, further comprising installing the program module at the subscriber only if it has been received without errors.

7. The method as claimed in claim 1, wherein the server transmits the program module to a first subscriber, and the method further comprises: transmitting the program module from the first subscriber to a second subscriber; calculating the checking criterion separately in the security device and at the second subscriber, the checking criterion being calculated based on a key specific to the second subscriber and based respectively on the program module transmitted to and received by the second subscriber; and comparing the checking criterion calculated in the security device with the checking criterion calculated at the second subscriber in order to determine whether errors are contained in the program module received by the second subscriber.

8. The method as claimed in claim 1, wherein if the program module has been received with errors, an identifier of the server which sent the program module is stored in the security device.

9. The method as claimed in claim 1, wherein the key is stored in the security device.

10. The method as claimed in claim 1, wherein the checking criterion calculated by the subscriber is transmitted to a central device in the communications system, and the checking criteria are compared in the central device.

11. The method as claimed in claim 1, further comprising transmitting a program module identifier together with the checking criterion from the subscriber to a central device.

12. The method as claimed in claim 1, wherein the communications system is a cellular radio communications system, the subscriber is a subscriber terminal, and the subscriber terminal is a stationary or mobile radio station.

13. The method as claimed in claim 5, further comprising installing the program module at the subscriber only if it has been received without errors.

14. The method as claimed in claim 13, wherein the server transmits the program module to a first subscriber, and the method further comprises: transmitting the program module from the first subscriber to a second subscriber; calculating the checking criterion separately in the security device and at the second subscriber, the checking criterion being calculated based on a key specific to the second subscriber and based respectively on the program module transmitted to and received by the second subscriber; and comparing the checking criterion calculated in the security device with the checking criterion calculated at the second subscriber in order to determine whether errors are contained in the program module received by the second subscriber.

15. The method as claimed in claim 14, wherein if the program module has been received with errors, an identifier of the first subscriber which sent the program module is stored in the security device.

16. The method as claimed in claim 15, wherein the key is stored in the security device.

17. The method as claimed in claim 16, wherein the checking criteria calculated by the first and second subscribers are transmitted to a central device in the communications system, and the checking criteria are compared in the central device.

18. The method as claimed in claim 17, further comprising transmitting a program module identifier together with the checking criterion from the subscriber to the central device.

19. The method as claimed in claim 18, wherein the communications system is a cellular radio communications system, the subscriber is a subscriber terminal, and the subscriber terminal is a stationary or mobile radio station.

20. A communications system, comprising: a server to hold a program module; a transmitter to transmit the program module from the server to a subscriber; a calculation unit provided at the subscriber to calculate a checksum criterion based on the program module received from the server and based on a key specific to the subscriber; a security device to calculate a checksum criterion based on the program module transmitted to the subscriber and based on a key specific to the subscriber; and a central device to compare the checking criteria to determine whether the program module was received with errors.

21. A method for providing a program module in a communications system, comprising: making the program module available from a server, transmitting the program module to a subscriber, calculating a checking criterion every time the program module is transmitted, the checking criterion being separately calculated in a security device and at the subscriber, the checking criterion being calculated based on the contents of the program module and based on an individual key associated with the subscriber, and comparing the checking criterion calculated in the security device with the checking criterion calculated at the subscriber in order to determine whether errors are contained in the program module received by the subscriber, wherein the checking criterion is independently calculated in the security device and at the subscriber, the checking criterion is calculated in the security device and at the subscriber using calculations that are substantially the same, and the subscriber uses wireless transmission to transmit the checking criterion to a central device where the checking criteria are compared.